
Advanced persistent threats have emerged as one of the top risks for organizations. Usually carried out by highly experienced attackers, APTs entail the infiltration of a secure network for an extended period of time. The goal isn't so much to cause immediate damage through instruments such as malware or viruses, but to steal sensitive data from banks, government agencies and healthcare providers.
Accordingly, APTs are atypical in that they're not designed to quickly bypass intrusion detection systems and get out as soon as possible. Rather, they aim for continuous network access, which necessitates virtually full-time administration from their perpetrators. By definition, APTs are sophisticated attacks that are resilient against most mainstream cybersecurity solutions and specifically targeted at high-profile institutions.
"Standard protection products' signature-based, one-size-fits-all approach cannot deal with the custom nature of targeted attacks and their dedicated perpetrators," stated the authors of "Countering the Advanced Persistent Threat Challenge with Deep Discovery," a recent Trend Micro white paper on APTs. "The malware, communications, and attacker activities used in targeted attacks are invisible to standard endpoint, gateway, and network security measures."
The complexity of APTs hardly means that organizations are powerless to stop them. Data transmissions are never invisible, but it may take an experienced eye as well as appropriate tools to pin down the APT before it causes lasting damage. Moreover, the specter of APTs makes a good case for broad implementation of continuous authentication and monitoring techniques that can catch anomalies sooner than a static approach.
APTs of the past: Red October, RSA and Luckycat
APTs are often international and intertwined with espionage and similarly high-stakes activities. For example, in 2013, cybersecurity researchers discovered Red October, an APT that had been active since at least 2007 and was using 60 domain names and server hosting providers spread across multiple countries. This infrastructure was carefully set up to mask the location of the control server, underscoring the advanced tactics that APTs often use.
Red October's targets may have included embassies and government agencies around the world, as well as scientific research outfits. The malware that it used, Rocra, had a modular architecture with backdoor Trojans, and it successfully scraped files with extensions such as the .acid- suffixes used by organizations such as NATO and the European Union. Overall, Red October used sophisticated methods to acquire the sensitive data that its designers wanted.
Other APTs have exhibited similar structures. A 2011 APT against RSA began with a spear-phishing email that contained a malicious spreadsheet. Once downloaded, it took advantage of known exploits to funnel protected files via FTP. As a finishing touch, the files were deleted from the host to cover the attackers' tracks.
The Luckycat APT has been going on since 2011 and also uses spear-phishing as a method of entry. Perpetrated by cybercriminals in China, its targets have spanned Japan, India and Tibet, and there may even be a mobile component, with several Android apps identified as capable of communicating with Luckycat command-and-control servers.
What do all of these APTs have in common? They were the products of careful planning and concerted technical execution. Assiduous intelligence gathering puts attackers in a position to target specific populations with compelling phishing emails. Once inside the network, APTs often spread quickly, taking over additional machines and evolving as their designers search for particular information repositories.
APTs may threaten small and big businesses
Although APTs have so far predominantly targeted nation-states and international organizations, businesses of all sizes are also at risk, often from obvious vulnerabilities that go unattended. In 2011, hundreds of thousands of credentials were stolen from Citibank websites after cybercriminals came up with a script that simply changed the numbers at the end of URLs that online users saw after logging in.
Detecting the attack would have been a straightforward matter of setting up mechanisms that flagged suspicious input and frequently repeated attempts. The bank would also have needed to look at its Java implementations, since flaws in this widely used framework also enabled the APT creators to lift information from Citi's Oracle databases.
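One way to build the detection mechanism described above, as an added example that is not from the article or from Trend Micro: the script scans constructed web-server access-log lines for a client that walks consecutive account identifiers in the URL, the pattern the Citibank incident describes. The log format, the `id=` parameter name and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not from the original article): one client
# re-loading its own account page, and one walking consecutive account IDs.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2011:10:01:02 +0000] "GET /account/view?id=48213 HTTP/1.1" 200 3120
10.0.0.5 - - [12/Jun/2011:10:01:09 +0000] "GET /account/view?id=48213 HTTP/1.1" 200 3120
203.0.113.7 - - [12/Jun/2011:10:02:00 +0000] "GET /account/view?id=48213 HTTP/1.1" 200 3120
203.0.113.7 - - [12/Jun/2011:10:02:01 +0000] "GET /account/view?id=48214 HTTP/1.1" 200 3101
203.0.113.7 - - [12/Jun/2011:10:02:02 +0000] "GET /account/view?id=48215 HTTP/1.1" 200 3098
203.0.113.7 - - [12/Jun/2011:10:02:03 +0000] "GET /account/view?id=48216 HTTP/1.1" 403 512
203.0.113.7 - - [12/Jun/2011:10:02:04 +0000] "GET /account/view?id=48217 HTTP/1.1" 200 3110
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)')
ID_RE = re.compile(r'[?&]id=(\d+)')  # assumed name of the numeric account identifier


def parse_requests(log_text):
    """Yield (ip, timestamp, account_id) for every line carrying an id= parameter."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        idm = ID_RE.search(m.group("path")) if m else None
        if not idm:
            continue  # unparseable or id-less line: skip rather than crash the detector
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, int(idm.group(1))


def find_enumerators(log_text, min_distinct=4, window_seconds=60):
    """Flag clients that touch at least `min_distinct` different account IDs within
    `window_seconds` and mostly step the ID by exactly one between requests."""
    by_ip = defaultdict(list)
    for ip, ts, acct in parse_requests(log_text):
        by_ip[ip].append((ts, acct))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        ids = [acct for _, acct in events]
        sequential = sum(1 for a, b in zip(ids, ids[1:]) if abs(b - a) == 1)
        peak = 0  # most distinct IDs seen from this client inside any single window
        for i, (start, _) in enumerate(events):
            in_window = {a for t, a in events[i:] if (t - start).total_seconds() <= window_seconds}
            peak = max(peak, len(in_window))
        if peak >= min_distinct and sequential >= min_distinct - 1:
            flagged[ip] = {"distinct_ids": peak, "sequential_steps": sequential}
    return flagged
```

A real deployment would key on session or user identity rather than source IP and feed the flagged entries into rate limiting or an alert queue.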
Still, reducing exposure to APTs is sometimes easier said than done. Even simple fixes to Java or Web security can have surprisingly high price tags that discourage organizations from moving quickly. Accordingly, companies may recognize the risks, but feel that they can't do anything to mitigate them. A recent ISACA member survey found that 21 percent of enterprises had already been victimized by an APT, while 63 percent expected that they would eventually be targeted.
Mitigating APT risks
What can organizations do to protect themselves from APTs? Despite the air of inevitability about falling victim to an advanced attack, they have a lot of options, from big data analytics that set up useful baselines for network activity to more comprehensive infrastructure testing. New strategies from cybersecurity personnel will also help.
"We need security professionals to be inquisitive – to be looking out for the things that don't exactly make sense, and to ask themselves what it could mean, and how they should look deeper into the issue," Palo Alto Networks senior analyst Wade Williamson told CSO. "We will always need automated security that blocks bad things, but we also need creative, engaged security experts to be looking for the creative, engaged bad guys on the other end of the connection."
Specific solutions such as Trend Micro Deep Discovery provide another way to stay ahead of APTs. This product complements existing mechanisms such as Web gateways and provides real-time analysis and reporting on network events.
The Deep Discovery Inspector component can catch malicious content such as emails with embedded exploits, drive-by downloads and zero-day malware. In addition, it looks for suspect communications with command-and-control servers, as well as exfiltration and other malicious activity.
Ultimately, warding off APTs should entail setting up a custom defense and detection strategy and also using solutions that integrate with existing endpoint and messaging security. The global intelligence provided by the cybersecurity community is an important component in the fight against APTs since it provides context and intelligence about advanced threats. While combating APTs isn't the easiest task, with the proper strategy and tools organizations can keep networks and data safe.